Breakingviews - BA is guinea pig for tougher EU data rules

British Airways logos are seen on tail fins at Heathrow Airport in west London, Britain, February 23, 2018

LONDON (Reuters Breakingviews) - British Airways is a test case for how harsh Europe’s new data rules are in practice. The airline said late on Thursday that some customer payment records had been stolen. Companies used to shrug off such attacks. But this breach comes after tough data protection laws were introduced in May. Now that non-compliance means fines, such lapses can hit investors as well as customers.

As much as 528 million pounds was wiped off the market value of IAG, BA’s parent company, on Friday, after the airline said sophisticated hackers had managed to obtain details of 380,000 customer payments. The drop in the share price reflected fears that IAG could be fined as much as 4 percent of its global revenues if it is found to have breached the data rules, known as GDPR. Were the maximum penalty to be applied to IAG’s 2017 sales of 23 billion pounds, the penalty would be nearly 920 million pounds.

Before GDPR, the UK regulator could at most fine companies 500,000 pounds for such breaches. Potential reputational damage was the biggest concern during previous cyber attacks. That explains why the share price of ad group WPP barely moved last year when their systems were hit.

Granted, British Airways may get some credit for swiftly alerting customers, regulators, and the police about the data breach. The airline also managed to safeguard customers’ passport details, a much more valuable source of data to hackers who can sell such sensitive data to identity thieves. But the incident will also underscore the need to invest enough in cyber defences to prove that enough is being done to safeguard sensitive client data. Senior staff who have a good understanding of how best to prevent such attacks will also be at a premium. That all entails extra costs over time for a company that is already facing higher fuel charges and greater competition from cheaper rivals. The data breach will irk affected customers who could need new credit cards. The financial cost, however, will fall on shareholders who may over time have to accept a lower profit.

Breakingviews

Reuters Breakingviews is the world's leading source of agenda-setting financial insight. As the Reuters brand for financial commentary, we dissect the big business and economic stories as they break around the world every day. A global team of about 30 correspondents in New York, London, Hong Kong and other major cities provides expert analysis in real time.